US9224006B1 - System and method of secure data access - Google Patents
System and method of secure data access Download PDFInfo
- Publication number
- US9224006B1 US9224006B1 US14/811,996 US201514811996A US9224006B1 US 9224006 B1 US9224006 B1 US 9224006B1 US 201514811996 A US201514811996 A US 201514811996A US 9224006 B1 US9224006 B1 US 9224006B1
- Authority
- US
- United States
- Prior art keywords
- user
- request
- hardware
- data access
- query
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Expired - Fee Related
Links
- 238000000034 method Methods 0.000 title claims abstract description 25
- 238000013500 data storage Methods 0.000 claims abstract description 55
- 238000004458 analytical method Methods 0.000 claims abstract description 22
- 238000013349 risk mitigation Methods 0.000 claims abstract description 8
- 230000001629 suppression Effects 0.000 claims abstract description 7
- 238000001514 detection method Methods 0.000 claims description 17
- 238000004891 communication Methods 0.000 claims description 10
- 230000007246 mechanism Effects 0.000 claims description 8
- 238000003860 storage Methods 0.000 claims description 8
- 230000007717 exclusion Effects 0.000 claims description 3
- 238000012545 processing Methods 0.000 description 8
- 230000003287 optical effect Effects 0.000 description 7
- 230000005540 biological transmission Effects 0.000 description 5
- 238000004590 computer program Methods 0.000 description 5
- 230000002159 abnormal effect Effects 0.000 description 4
- 230000000694 effects Effects 0.000 description 4
- 230000008901 benefit Effects 0.000 description 3
- 238000010586 diagram Methods 0.000 description 3
- 239000000284 extract Substances 0.000 description 3
- 238000001914 filtration Methods 0.000 description 3
- 230000006870 function Effects 0.000 description 3
- 230000008569 process Effects 0.000 description 3
- 238000013459 approach Methods 0.000 description 2
- 238000011161 development Methods 0.000 description 2
- 230000003993 interaction Effects 0.000 description 2
- 238000007726 management method Methods 0.000 description 2
- 238000012986 modification Methods 0.000 description 2
- 230000004048 modification Effects 0.000 description 2
- 230000002093 peripheral effect Effects 0.000 description 2
- 101100156763 Schizosaccharomyces pombe (strain 972 / ATCC 24843) wos2 gene Proteins 0.000 description 1
- 230000002547 anomalous effect Effects 0.000 description 1
- 230000003190 augmentative effect Effects 0.000 description 1
- 238000013475 authorization Methods 0.000 description 1
- 238000007630 basic procedure Methods 0.000 description 1
- 238000004364 calculation method Methods 0.000 description 1
- 150000001875 compounds Chemical class 0.000 description 1
- 230000007123 defense Effects 0.000 description 1
- 230000000116 mitigating effect Effects 0.000 description 1
- 238000012552 review Methods 0.000 description 1
- 239000007787 solid Substances 0.000 description 1
- 238000012546 transfer Methods 0.000 description 1
Images
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/62—Protecting access to data via a platform, e.g. using keys or access control rules
- G06F21/6218—Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
- G06F21/6227—Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database where protection concerns the structure of data, e.g. records, types, queries
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/30—Authentication, i.e. establishing the identity or authorisation of security principals
- G06F21/31—User authentication
Definitions
- the present disclosure relates generally to the field of information security, and in particular, to a system and method of secure data access.
- the volume of information used by people is constantly increasing. By 2019, global consumer IP traffic is expected to reach 138,410 petabytes per month at a 24 percent compound annual growth rate.
- This information can include different documents, articles, reference information and so on.
- different data storage mechanisms are used, including relational and non-relational databases. Along with the need to store huge volumes of data comes the necessity of protecting this data from unauthorized access.
- DBMS database management systems
- One technical result of the disclosed aspects is the mitigation of possible risks that an enterprise's information may be accessed, stolen and/or used by criminals.
- an example method for providing multi-level data access security includes performing an analysis of hardware and software of a user's computer system in order to mitigate the risk of unauthorized data access; receiving a user's request for data access from an application on the user's computer system, wherein the request contains a query for retrieving data; modifying the user's request for data access for possible risk mitigation based on results of the hardware and software analysis; authenticating a user sending the request for data access and redirecting the request for data access in case of successful authentication; identifying user's clearance level; retrieving query result from data storage based on user's clearance level and user's query; applying access control policies to query result for modifying query result in order to exclude from query result information requiring suppression; and transmitting final query result to the user's computer system.
- software analysis includes vulnerability detection with respect to the applications present within the user's computer system.
- hardware analysis includes vulnerability detection with respect to the devices of the user's computer system.
- hardware analysis includes detection with respect to untrusted data storage mechanisms.
- hardware analysis includes vulnerability detection with respect to network hardware used for communication.
- modifying user's request includes an exclusion from the query of reserved value names.
- an example system for providing multi-level data access security comprising a processor, configured to perform an analysis of hardware and software of a user's computer system in order to mitigate the risk of unauthorized data access; receive a user's request for data access from an application on the user's computer system, where request contains a query for retrieving data; modify user's request for data access for possible risk mitigation based on hardware, software analysis results; authenticate a user sending the request for data access and redirect the request for data access in case of successful authentication; identify user's clearance level; retrieve query result from data storage based on user's clearance level and user's query; apply access control policies to query result for modifying query result in order to exclude from query result information requiring suppression; and transmit final query result to user's computer system.
- a non-transitory computer-readable storage medium storing computer program product comprising computer-executable instructions for providing multi-level data access security, including instructions for performing an analysis of hardware and software of a user's computer system in order to mitigate the risk of unauthorized data access; receiving a user's request for data access from an application on the user's computer system, wherein the request contains a query for retrieving data; modifying the user's request for data access for possible risk mitigation based on results of the hardware and software analysis; authenticating a user sending the request for data access and redirecting the request for data access in case of successful authentication; identifying user's clearance level; retrieving query result from data storage based on user's clearance level and user's query; applying access control policies to query result for modifying query result in order to exclude from query result information requiring suppression; and transmitting final query result to the user's computer system.
- FIG. 1 is a block diagram illustrating a system of secure data access, in accordance with some aspects.
- FIG. 2 is a flow chart illustrating a method of secure data access, in accordance with some aspects.
- FIG. 3 is a block diagram illustrating a general-purpose computer system on which aspects of the invention can be implemented.
- Example aspects are described herein in the context of a system, method, and computer program product for secure data access. Those of ordinary skill in the art will realize that the following description is illustrative only and is not intended to be in any way limiting. Other aspects will readily suggest themselves to those skilled in the art having the benefit of this disclosure. Reference will now be made in detail to implementations of the example aspects as illustrated in the accompanying drawings. The same reference indicators will be used to the extent possible throughout the drawings and the following description to refer to the same or like items.
- the computer system can be one physical machine, or can be distributed among multiple physical machines, such as by role or function, or by process thread in the case of a cloud computing distributed model.
- the disclosed systems, methods and computer program products can be configured to run in virtual machines (e.g., system virtual machines, operating system-level virtual machines, process virtual machines, or any combination thereof) that in turn are executed on one or more physical machines.
- virtual machines e.g., system virtual machines, operating system-level virtual machines, process virtual machines, or any combination thereof
- FIG. 1 is a block diagram illustrating an example system of secure data access.
- Enterprise infrastructure 117 may include a combination of hardware and software components for secure access to the data stored within said infrastructure 117 .
- Data storage 130 is used to store various types of information including information of different security levels, for example “top secret”, “secret”, “confidential” and “unclassified”. These security levels reflect the importance of the stored data being revealed to someone who is authorized to get access to the corresponding security level of the data.
- user is authorized to get access to information of a particular security level (for example “top secret”) is also authorized to get access to data with a lower security level (for example “secret”, “confidential” and “unclassified”).
- the data storage 130 may include a database configured to execute queries, received from user 105 , and modifying the query results according to the user's 105 clearance level.
- the data storage 130 is also configured to request a user's 105 clearance level from access control module 140 .
- data storage 130 may include an Apache Accumulo database having a cell-level security feature used for flexible access policy usage.
- Data storage 130 is connected to a logging module 120 and access control module 140 .
- user 105 makes a corresponding request (query) to the data storage 130 with the help of user's 105 computer system (by means of web-browser or specialized application).
- the user 105 is located outside the enterprise infrastructure 117 .
- user's query goes through a number of processing operations (which will be described further below) before it reaches the data storage 130 .
- user's 105 query includes user's 105 identification credentials such as username and password or a digital certificate paired with a password.
- the first step of the processing of the user's 105 query is performed by the security module 115 .
- security module 115 processing the query reaches enterprise infrastructure 117 and namely, web server 116 .
- the web server 116 serves as the primary means of interaction between user 105 and data storage 130 .
- the web server can be implemented by means of the Apache Tomcat Server.
- the web server 116 is configured to redirect user's abovementioned identification credentials and to an access control module 140 .
- the web server 116 redirects the whole query including the identification credentials to the access control module 140 .
- the web server 116 is also capable of sending the user's 105 query to a logging module 120 for further redirecting to the data storage 130 and of transmission query results received from the logging module 120 to the user 105 .
- the access control module 140 provides authentication, authorization and user management functionality.
- the access control module 140 receives user's 105 identification credentials (or extracts from the received query) and compares it with stored credentials of all known users.
- known users identification credentials are stored in a profile database 160 .
- further query processing can be permitted or not.
- the access control module is capable of transmitting information concerning user's 105 clearance level by the request of the data storage 130 .
- the access control module 140 is also configured to apply access control policies stored in access control policy database 150 to the query results received from the logging module 120 .
- the access control module 140 can be implemented by the means of WSO2 Identity Server, meanwhile the access control policy database 150 can be implemented by the means of WSO2 Governance Registry.
- the logging module 120 provides logging, auditing all the data and security transactions and the ability to alert administrators and security managers of any anomalous or insecure activity.
- the logging module is configured to send the user's 105 query to the data storage 130 .
- the logging module is also configured to transmit the query results to the access control module 140 for further access policy application. Modified user's 105 query results are sent by the logging module 120 and back to the user 105 .
- the logging module 120 also acts as an Enterprise Server Bus (ESB), which provides data transport.
- EDB Enterprise Server Bus
- Security module 115 is configured to analyze user's 105 environment in order to detect software and hardware vulnerabilities and to modify user's 105 queries to the data storage 130 according to the vulnerabilities detection results, wherein the data storage 130 is a part of enterprise infrastructure 117 .
- the aim of the analysis is to determine a vulnerability rating, representing according to one aspect a number from 0 to 100. The higher the vulnerability rating, the higher the possibility of user being a victim of a cyber attack, and the higher the risk of information stored in data storage 130 being accessed and/or stolen by criminals.
- Software and hardware (including removable data storage and network hardware) of the user's 105 computer system are analyzed for determining the vulnerability rating.
- security module 115 scans software present within user's 105 computer system and compares it with a list of known vulnerabilities for different application versions.
- a database containing a list of known vulnerabilities which is periodically updated with information about new versions of applications and its known vulnerabilities is used to detect user's 105 software vulnerabilities.
- the result of software analysis is a software vulnerability rating, a number from 0 to 100 according to one aspect, the higher the software vulnerability rating the more known software vulnerabilities present on user's 105 computer system.
- the following equation may be used to calculate software vulnerability rating, wherein X is a total number of known application vulnerabilities within user's 105 computer system:
- security module 115 scans hardware present within user's 105 computer system as well as network hardware used for communication with data storage 130 (routers, hubs, etc.) and compares it with a list of known vulnerabilities for different devices.
- a database containing a list of known vulnerabilities which is periodically updated with information about new versions of known hardware vulnerabilities is used to detect user's 105 hardware vulnerabilities.
- the result of software analysis is a hardware vulnerability rating, a number from 0 to 100 according to one aspect, the higher the hardware vulnerability rating the more known hardware vulnerabilities present on user's 105 computer system or network communication infrastructure.
- untrusted data storage mechanisms are considered to be vulnerable hardware.
- These untrusted data storage mechanisms can be detected by comparing its serial numbers with the list of serial numbers of trusted data storages.
- the list of serial numbers of trusted data storage mechanisms can be stored in a database within the security module 115 .
- the formula used to calculate software vulnerability rating is the same as the formula for calculating the software vulnerability rating, wherein X is the total number of known hardware vulnerabilities within user's 105 computer system and network infrastructure used for communication with the data storage 130 .
- the resulting vulnerability rating calculation is based on earlier determined software and hardware ratings.
- vulnerability rating is an arithmetic mean of the hardware and software vulnerability ratings.
- vulnerability rating is a quadratic mean of the hardware and software vulnerability ratings.
- the vulnerability rating is another power mean of the hardware and software vulnerability ratings.
- the security module 115 is also configured to intercept user's 105 query to the data storage 130 .
- the security module 115 is capable of performing heuristic-based actions depending on the information contained in the query to the data storage 130 , for example the security module 130 can inform user's 105 supervisor about query processing, require additional authentication for query transmission to the data storage 130 , modify the query itself and even prohibit the query transmission for possible risk mitigation.
- the security module 115 extracts from the intercepted query information concerning data that should be received from the data storage 130 , for example in case of a SQL-based query the security module extracts value names of the supposed query result.
- the security module 115 determines locations of the user's 105 computer system and data storage 130 or the whole enterprise infrastructure 117 by analyzing the IP-addresses of the source of the query request (user's 105 computer system) and the destination IP-address in order to avoid possible legal infringements caused by classified data being illegally transmitted from one country to another.
- the security module's 115 operational logic (referring to the user's 105 query) is implemented with the help of the set of heuristic rules that put into compliance various actions to certain conditions.
- the heuristic rules used by the security module 115 are some examples of the heuristic rules used by the security module 115 :
- the classified data is data corresponding to reserved data storage 130 field names.
- Said reserved data storage value names can be stored within the security module 115 .
- the classified data is information stored in the data storage 130 and marked as “top secret”, “secret” or “confidential” according to the abovementioned data classification.
- a list of countries, between which classified data transmission is prohibited, can be stored within the security module 115 as well and can include such countries as the USA, North Korea, Israel, Iraq and so on.
- Information concerning user's 105 supervisors can be also stored within the security module 115 , while such information is used for communication with a supervisor (for example via email) in the abovementioned cases described within heuristic rule examples.
- User's 105 abnormal activity is an atypical query. The security module 115 can identify such a query by comparing earlier user 105 queries (requested value names) with the current query. According to one aspect, abnormal activity is a query for classified data, if there were no classified data queries within the past 6 months.
- the security module 115 modifies a corresponding query, for example value names are excluded from the query if they correspond to classified data (abovementioned reserved value names).
- the query to the data storage 130 which can be also modified by the security module 115 by one of the abovementioned methods, is further transmitted to the enterprise infrastructure 117 and web server 116 in particular along with extracted information about user's location.
- FIG. 2 shows a flow chart illustrating an example method of secure data access.
- the security module 115 provides user's 105 software and hardware analysis calculating the vulnerability rating.
- the security module receives the user's 105 request for data access by intercepting the user's 105 query to the data storage 130 .
- the security module 115 modifies user's 105 request (query to the data storage 130 ) for data access. All the actions made by the security module 115 such as query modification, supervisor notification and so on are performed according to the set of heuristic rules used by the said module 115 .
- the modified user's query is transmitted by the security module 115 to the enterprise infrastructure 117 .
- the query Upon arrival at the web server 116 , the query, including identification credentials, is redirected to the access control module 140 for further authentication.
- the user 105 authentication is provided by the access control module 140 .
- the user's 105 query is transmitted to the data storage 130 via the logging module 120 .
- the data storage 130 Based on the identification credentials contained in the query the data storage 130 makes a request to the access control module 140 for the user's 105 clearance level identification.
- access control module 140 provides said clearance level identification resulting in acquiring user 105 entitlement information.
- the entitlement information is consistent with the BLP (Bell-LaPadula) model, the user's 105 clearance level and any compartments into which the user 105 has been read.
- the data storage 130 generates a query result filtering out those data values for each record from the result that are inconsistent with the user's 105 clearance level and compartments later. Filtering is the process of comparing the user's 105 clearance level and the result values classification level.
- the query results are sent to the logging module 120 by the data storage 130 .
- the logging module 120 redirects query results to the access control module 140 which reviews the query results to determine what types of access control policies are applicable.
- Access control policies provide a more flexible attribute based access control (ABAC) than BLP model by using cell-level access control rules.
- ABAC attribute based access control
- the query result from the data storage 130 is a set of tuples that appear as ⁇ Row ID, Column (family, qualifier, classification level), Timestamp, Value>.
- the access control module 140 After applying all the matched access control policies, the access control module 140 returns modified query results back to user 105 by transmitting the results through the logging module 120 and the web server 116 .
- FIG. 3 shows an example of a general-purpose computer system (which may be a personal computer or a server) 20 , which may be used to implement aspects of the system and methods disclosed herein.
- the computer system 20 includes a central processing unit 21 , a system memory 22 and a system bus 23 connecting the various system components, including the memory associated with the central processing unit 21 .
- the system bus 23 is realized like any bus structure known from the prior art, including, in turn, a bus memory or bus memory controller, a peripheral bus and a local bus, which is able to interact with any other bus architecture.
- the system memory includes permanent memory (ROM) 24 and random-access memory (RAM) 25 .
- the basic input/output system (BIOS) 26 includes the basic procedures ensuring the transfer of information between elements of the personal computer 20 , such as those at the time of loading the operating system with the use of the ROM 24 .
- the personal computer 20 includes a hard disk 27 for reading and writing of data, a magnetic disk drive 28 for reading and writing on removable magnetic disks 29 and an optical drive 30 for reading and writing on removable optical disks 31 , such as CD-ROM, DVD-ROM and other optical information media.
- the hard disk 27 , the magnetic disk drive 28 , and the optical drive 30 are connected to the system bus 23 across the hard disk interface 32 , the magnetic disk interface 33 and the optical drive interface 34 , respectively.
- the drives and the corresponding computer information media are power-independent modules for storage of computer instructions, data structures, program modules and other data of the personal computer 20 .
- the present disclosure provides the implementation of a system that uses a hard disk 27 , a removable magnetic disk 29 and a removable optical disk 31 , but it should be understood that it is possible to employ other types of computer information media 56 which are able to store data in a form readable by a computer (solid state drives, flash memory cards, digital disks, random-access memory (RAM) and so on), which are connected to the system bus 23 via the controller 55 .
- solid state drives, flash memory cards, digital disks, random-access memory (RAM) and so on which are connected to the system bus 23 via the controller 55 .
- the computer 20 has a file system 36 , where the recorded operating system 35 is stored, and also additional program applications 37 , other program modules 38 and program data 39 .
- the user is able to enter commands and information into the personal computer 20 by using input devices (keyboard 40 , mouse 42 ).
- Other input devices can be used: microphone, joystick, game controller, scanner, and so on.
- Such input devices usually plug into the computer system 20 through a serial port 46 , which in turn is connected to the system bus, but they can be connected in other ways, for example, with the aid of a parallel port, a game port or a universal serial bus (USB).
- a monitor 47 or other type of display device is also connected to the system bus 23 across an interface, such as a video adapter 48 .
- the personal computer can be equipped with other peripheral output devices (not shown), such as loudspeakers, a printer, and so on.
- the personal computer 20 is able to work in a network environment, using a network connection to one or more remote computers 49 .
- the remote computer (or computers) 49 are also personal computers or servers having the majority or all of the aforementioned elements in describing the nature of a personal computer 20 , as shown in FIG. 4 .
- Other devices can also be present in the computer network, such as routers, network stations, peer devices or other network nodes.
- Network connections can form a local-area computer network (LAN) 50 and a wide-area computer network (WAN). Such networks are used in corporate computer networks and internal company networks, and they generally have access to the Internet.
- LAN or WAN networks the personal computer 20 is connected to the local-area network 50 across a network adapter or network interface 51 .
- the personal computer 20 can employ a modem 54 or other modules for providing communications with a wide-area computer network such as the Internet.
- the modem 54 which is an internal or external device, is connected to the system bus 23 by a serial port 46 . It should be noted that the network connections are only examples and need not depict the exact configuration of the network, i.e., in reality there are other ways of establishing a connection of one computer to another by technical communication modules.
- the systems and methods described herein may be implemented in hardware, software, firmware, or any combination thereof. If implemented in software, the methods may be stored as one or more instructions or code on a non-transitory computer-readable medium.
- Computer-readable medium includes data storage.
- such computer-readable medium can comprise RAM, ROM, EEPROM, CD-ROM, Flash memory or other types of electric, magnetic, or optical storage medium, or any other medium that can be used to carry or store desired program code in the form of instructions or data structures that can be accessed by a processor of a general purpose computer.
- module refers to a real-world device, component, or arrangement of components implemented using hardware, such as by an application specific integrated circuit (ASIC) or field-programmable gate array (FPGA), for example, or as a combination of hardware and software, such as by a microprocessor system and a set of instructions to implement the module's functionality, which (while being executed) transform the microprocessor system into a special-purpose device.
- a module can also be implemented as a combination of the two, with certain functions facilitated by hardware alone, and other functions facilitated by a combination of hardware and software.
- a module can be executed on the processor of a general purpose computer (such as the one described in greater detail in FIG. 3 above). Accordingly, each module can be realized in a variety of suitable configurations, and should not be limited to any particular implementation exemplified herein.
Landscapes
- Engineering & Computer Science (AREA)
- Theoretical Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- General Physics & Mathematics (AREA)
- Physics & Mathematics (AREA)
- General Engineering & Computer Science (AREA)
- Software Systems (AREA)
- Computer Hardware Design (AREA)
- Databases & Information Systems (AREA)
- Health & Medical Sciences (AREA)
- Bioethics (AREA)
- General Health & Medical Sciences (AREA)
- Storage Device Security (AREA)
Abstract
Description
-
- if the vulnerability rating is higher than 60, the security module excludes the query requesting the classified data;
- if the vulnerability rating is higher than 80, the
security module 115 prohibits user's 105 interaction withdata storage 130; - if the
user 105 and thedata storage 130 are located in countries, between which classified data transmission is prohibited, thesecurity module 115 prohibits the user's 105 queries to thedata storage 130; - if
abnormal user 105 activity is detected, thesecurity module 115 notifies user's 105 supervisor; - if the vulnerability rating is higher than 20 and abnormal user activity is detected, the
security module 115 requires additional authentication for the query to be allowed to be sent to thedata storage 130;
-
- Suppress from the set of results all the values, if the query is sent between 6 p.m. and 9 a.m.;
- Suppress from the set of results values with Row ID “Nuclear reactor features” if the user's name is “John Doe”;
- Suppress from the set of results values with Timestamp earlier than January 2010;
- Suppress from the set of results all the values, if user's IP mask is not 180.93.255.255.
Claims (17)
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US14/811,996 US9224006B1 (en) | 2015-07-29 | 2015-07-29 | System and method of secure data access |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US14/811,996 US9224006B1 (en) | 2015-07-29 | 2015-07-29 | System and method of secure data access |
Publications (1)
Publication Number | Publication Date |
---|---|
US9224006B1 true US9224006B1 (en) | 2015-12-29 |
Family
ID=54932428
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US14/811,996 Expired - Fee Related US9224006B1 (en) | 2015-07-29 | 2015-07-29 | System and method of secure data access |
Country Status (1)
Country | Link |
---|---|
US (1) | US9224006B1 (en) |
Cited By (7)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20190286828A1 (en) * | 2018-03-19 | 2019-09-19 | International Business Machines Corporation | Fine-grained privacy enforcement and policy-based data access control at scale |
US10642979B1 (en) * | 2019-09-19 | 2020-05-05 | Capital One Services, Llc | System and method for application tamper discovery |
WO2021011122A1 (en) * | 2019-07-16 | 2021-01-21 | Microsoft Technology Licensing, Llc | Cloud-based data access control |
CN113779036A (en) * | 2021-09-18 | 2021-12-10 | 深圳市元征软件开发有限公司 | Access control method and device for fault code library, server and storage medium |
CN114244598A (en) * | 2021-12-14 | 2022-03-25 | 浙江太美医疗科技股份有限公司 | Intranet data access control method, device, equipment and storage medium |
US11411991B2 (en) * | 2019-07-09 | 2022-08-09 | Mcafee, Llc | User activity-triggered URL scan |
US11790099B1 (en) * | 2018-02-09 | 2023-10-17 | Microsoft Technology Licensing, Llc | Policy enforcement for dataset access in distributed computing environment |
-
2015
- 2015-07-29 US US14/811,996 patent/US9224006B1/en not_active Expired - Fee Related
Cited By (9)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US11790099B1 (en) * | 2018-02-09 | 2023-10-17 | Microsoft Technology Licensing, Llc | Policy enforcement for dataset access in distributed computing environment |
US20190286828A1 (en) * | 2018-03-19 | 2019-09-19 | International Business Machines Corporation | Fine-grained privacy enforcement and policy-based data access control at scale |
US11816234B2 (en) * | 2018-03-19 | 2023-11-14 | International Business Machines Corporation | Fine-grained privacy enforcement and policy-based data access control at scale |
US11411991B2 (en) * | 2019-07-09 | 2022-08-09 | Mcafee, Llc | User activity-triggered URL scan |
WO2021011122A1 (en) * | 2019-07-16 | 2021-01-21 | Microsoft Technology Licensing, Llc | Cloud-based data access control |
US10642979B1 (en) * | 2019-09-19 | 2020-05-05 | Capital One Services, Llc | System and method for application tamper discovery |
CN113779036A (en) * | 2021-09-18 | 2021-12-10 | 深圳市元征软件开发有限公司 | Access control method and device for fault code library, server and storage medium |
CN114244598A (en) * | 2021-12-14 | 2022-03-25 | 浙江太美医疗科技股份有限公司 | Intranet data access control method, device, equipment and storage medium |
CN114244598B (en) * | 2021-12-14 | 2024-01-19 | 浙江太美医疗科技股份有限公司 | Intranet data access control method, device, equipment and storage medium |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US9224006B1 (en) | System and method of secure data access | |
Terzi et al. | A survey on security and privacy issues in big data | |
Mousa et al. | Database security threats and challenges | |
Achar | Cloud Computing Security for Multi-Cloud Service Providers: Controls and Techniques in our Modern Threat Landscape | |
Viega | Building security requirements with CLASP | |
Bann et al. | Trusted security policies for tackling advanced persistent threat via spear phishing in BYOD environment | |
US20160036812A1 (en) | Database Queries Integrity and External Security Mechanisms in Database Forensic Examinations | |
Al-Sayid et al. | Database security threats: A survey study | |
Bamrara | Evaluating database security and cyber attacks: A relational approach | |
US20210243223A1 (en) | Aggregation and flow propagation of elements of cyber-risk in an enterprise | |
Hassan et al. | Latest trends, challenges and solutions in security in the era of cloud computing and software defined networks | |
Singh et al. | A review report on security threats on database | |
Omotunde et al. | A Comprehensive Review of Security Measures in Database Systems: Assessing Authentication, Access Control, and Beyond | |
Teimoor | A review of database security concepts, risks, and problems | |
RU2724713C1 (en) | System and method of changing account password in case of threatening unauthorized access to user data | |
Gaddam | Securing your big data environment | |
Meriah et al. | A survey of quantitative security risk analysis models for computer systems | |
US20230179635A1 (en) | Enhanced zero trust security systems, devices, and processes | |
Srinivasan et al. | State-of-the-art big data security taxonomies | |
Kadebu et al. | A security requirements perspective towards a secured nosql database environment | |
Metoui | Privacy-aware risk-based access control systems | |
Bolívar et al. | Modeling cloud computing security scenarios through attack trees | |
Shivakumara et al. | Review Paper on Dynamic Mechanisms of Data Leakage Detection and Prevention | |
Kabir | Data Centric Security | |
Younis et al. | Cloud Computing Security & Privacy Challenges |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
AS | Assignment |
Owner name: KGSS, INC., VIRGINIA Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:FIRESTONE, ADAM C.;REEL/FRAME:036205/0377 Effective date: 20150708 |
|
STCF | Information on status: patent grant |
Free format text: PATENTED CASE |
|
FEPP | Fee payment procedure |
Free format text: MAINTENANCE FEE REMINDER MAILED (ORIGINAL EVENT CODE: REM.); ENTITY STATUS OF PATENT OWNER: SMALL ENTITY |
|
FEPP | Fee payment procedure |
Free format text: SURCHARGE FOR LATE PAYMENT, LARGE ENTITY (ORIGINAL EVENT CODE: M1554); ENTITY STATUS OF PATENT OWNER: LARGE ENTITY Free format text: ENTITY STATUS SET TO UNDISCOUNTED (ORIGINAL EVENT CODE: BIG.); ENTITY STATUS OF PATENT OWNER: LARGE ENTITY |
|
MAFP | Maintenance fee payment |
Free format text: PAYMENT OF MAINTENANCE FEE, 4TH YEAR, LARGE ENTITY (ORIGINAL EVENT CODE: M1551); ENTITY STATUS OF PATENT OWNER: LARGE ENTITY Year of fee payment: 4 |
|
FEPP | Fee payment procedure |
Free format text: MAINTENANCE FEE REMINDER MAILED (ORIGINAL EVENT CODE: REM.); ENTITY STATUS OF PATENT OWNER: LARGE ENTITY |
|
LAPS | Lapse for failure to pay maintenance fees |
Free format text: PATENT EXPIRED FOR FAILURE TO PAY MAINTENANCE FEES (ORIGINAL EVENT CODE: EXP.); ENTITY STATUS OF PATENT OWNER: LARGE ENTITY |
|
STCH | Information on status: patent discontinuation |
Free format text: PATENT EXPIRED DUE TO NONPAYMENT OF MAINTENANCE FEES UNDER 37 CFR 1.362 |
|
FP | Lapsed due to failure to pay maintenance fee |
Effective date: 20231229 |